OAuth 2.0 relies on the concept of scopes to control access to resources. The resources in AS ABAP are mapped to SAP NetWeaer Gateway OData services. One OData service in Gateway is assigned to exactly one OAuth 2.0 scope. How to create a Gateway Service is out of scope for this document. In this example the activation of an OData service (ZLEAVEREQUEST) and the assignment to an OAuth 2.0 scope is demonstrated.

As the configuration in AS ABAP release 7.31 and 7.40 are different, both will be described seperately in this document.

Table of Contents:

AS ABAP 7.31 Configuration

In AS ABAP 7.31, a separate report (attached to SAP Note 1797103) is used to create an OAuth 2.0 scope for an OData service. The following steps demonstrate how to enable the OData service (ZLEAVEREQUEST) and create a OAuth 2.0 scope for this service.

1. Start transaction SPRO and click SAP Reference IMG.

2. Go to Activate and Maintain Services.

3. All configured services are listed in the Service Catalog section. Choose the Service button to open the Add Service popup.

4. Select the ZLEAVEREQUEST service from the service list. Put the required information into the popup window as shown in the figure and press OK.

Now the ZLEAVEREQUEST service is activated.

5. Make sure the ZLEAVEREQUEST is marked as active in the ICF Nodes section.

6. To assign the ZLEAVEREQUEST service to an OAuth 2.0 scope, a dedicated report is used.

Go to transaction SE38 and execute report /IWFND/R_OAUTH_SCOPES to create OAuth 2.0 scope. In Service Doc. Identifier field supply the tecnical name of the ZLEAVEREQUEST service (service name_version).

AS ABAP 7.40 Configuration

In AS ABAP 7.40, the OAuth 2.0 scope assignment is integrated into the Gateway service maintenance UI. The OData service (ZLEAVEREQUEST) is used in this example.

1-3. The first three configuration steps are the same as in the above configuration for AS ABAP 7.31.

4. Select the ZLEAVEREQUEST service from the service list. A window will pop up for adding a service.

Put the required information like the right screenshot and select option “Enable OAuth for service” and click OK.

ZLEAVEREQUEST will be activated and the service will be assigned to an OAuth 2.0 scope.

5. If OAuth 2.0 had not been enabled while activating the service, it can be added afterwards by clicking the OAuthbutton.

This will enable the selected service for OAuth and will create an OAuth 2.0 scope for it.

6. A popup window gives corresponding information and asks if you want to enable this service for OAuth 2.0.

Clicking Yes will generate an OAuth 2.0 scope for this service and will replace your service's ICF handler with a handler that supports OAuth 2.0.

Adding a service assignment to an OAuth 2.0 scope seems pretty straight forward, but removing the scope after it's been added isn't so easy. Do you have any illustrations on how to remove the scope from a service once it's been added?